🎉 Make social auth exceptions configurable #13596
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
settings_changes
manuel-sommer
force-pushed
the
make_social_auth_exception_configurable
branch
from
22d3969 to
8a715dd
Compare
Contributor
Author
|
Waiting for #13608 to get merged. |
🔴 Risk threshold exceeded.This pull request modifies dojo/middleware.py (multiple sensitive edits detected) and updates dojo/settings/settings.dist.py where distinct social-auth error messages could allow user enumeration via differing "AuthForbidden" vs "AuthFailed" responses. The middleware changes touch a sensitive path and should be reviewed against .dryrunsecurity.yaml configuration, and the settings change should be hardened to avoid information disclosure.
🔴 Configured Codepaths Edit in
|
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/middleware.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/middleware.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/middleware.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/middleware.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/middleware.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
Information Disclosure via Distinct Error Messages in dojo/settings/settings.dist.py
| Vulnerability | Information Disclosure via Distinct Error Messages |
|---|---|
| Description | The system provides distinct error messages for different social authentication failure states. Specifically, the 'AuthForbidden' message ('You are not authorized to log in via this method.') implies that a user account exists but is not permitted to use social login, while the 'AuthFailed' message ('Social login failed.') is more generic. This distinction allows an attacker to enumerate valid user accounts by observing which error message is returned for a given login attempt. |
django-DefectDojo/dojo/settings/settings.dist.py
Lines 180 to 183 in 2c06e6e
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
Maffooch
approved these changes
Nov 6, 2025
Member
valentijnscholten
left a comment
valentijnscholten
left a comment
There was a problem hiding this comment.
Is there a benefit of using a dict? I'm asking because we don't do that in other places and it makes the code look a bit verbose 😀
blakeaowens
approved these changes
Nov 7, 2025
Jino-T
approved these changes
Nov 7, 2025
Contributor
Author
|
done @valentijnscholten please review again |
valentijnscholten
approved these changes
Nov 9, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
To enable admins to forward useres e.g. to a Service Desk